[openstack-dev] [puppet][operators] How to specify Keystone v3 credentials?

Rich Megginson rmeggins at redhat.com
Mon May 4 23:35:27 UTC 2015

I'm currently working on Keystone v3 support in the openstack puppet 

The way authentication works with the Icehouse branch is that 
puppet-keystone reads the admin_token and admin_endpoint from 
/etc/keystone/keystone.conf and passes these to the keystone command via 
the OS_SERVICE_TOKEN env. var. and the --os-endpoint argument, respectively.

This will not work on a node where Keystone is not installed (unless you 
copy /etc/keystone/keystone.conf to all of your nodes).

I am assuming there are admins/operators that have actually deployed 
OpenStack using puppet on nodes where Keystone is not installed?

If so, how?  How do you specify the authentication credentials?  Do you 
use environment variables?  If so, how are they specified?

For Keystone v3, in order to use v3 for authentication, and in order to 
use the v3 identity api, there must be some way to specify the various 
domains to use - the domain for the user, the domain for the project, or 
the domain to get a domain scoped token.

There is a similar issue when creating domain scoped resources like 
users and projects.  As opposed to editing dozens of manifests to add 
domain parameters to every user and project (and the classes that call 
keystone_user/tenant, and the classes that call those classes, etc.), is 
there some mechanism to specify a default domain to use?  If not, what 
about using the same mechanism used today to specify the Keystone 

The goal is that all keystone domain scoped resources will eventually 
require specifying a domain, but that will take quite a while and I 
would like to provide an incremental upgrade path.

More information about the OpenStack-dev mailing list